Data Processing Agreement

Last updated: January 01, 2025

This Data Processing Agreement ("DPA") forms part of the agreement between Genira Pte. Ltd. ("Genira," "Processor") and the customer entity ("Customer," "Controller") that has executed an Order Form or otherwise agreed to Genira's Terms of Service. This DPA applies where Genira processes Personal Data on behalf of the Customer in connection with the Services, and is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR") and equivalent national laws.

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data.

1. Definitions

Capitalised terms not otherwise defined herein have the meaning given in the GDPR or the Terms of Service.

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Genira on behalf of the Customer in connection with the Services.
  • "Processing" has the meaning given in the GDPR and "process" and "processes" shall be construed accordingly.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Genira to process Personal Data on behalf of the Customer.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission under Decision 2021/914/EU for the transfer of Personal Data to third countries.

2. Scope and Nature of Processing

Genira processes Personal Data solely on behalf of and under the documented instructions of the Customer for the purposes of providing the Services. The subject-matter, duration, nature, and purpose of the processing, as well as the type of Personal Data and categories of Data Subjects, are set out below:

Subject-matter: Processing of Personal Data required to deliver the Genira eClinical platform and associated services.
Duration: For the term of the Services Agreement, plus any retention period required by applicable law.
Nature and purpose: Hosting, storage, retrieval, structuring, transmission, and deletion of Personal Data to provide SaaS platform functionality, including pharmacovigilance case management, quality management, clinical data capture, and AI-assisted workflows.
Type of Personal Data: Contact information (name, email, job title); user authentication data; health and clinical trial data as submitted by the Customer; audit trail and activity logs.
Categories of Data Subjects: Customer employees and contractors; clinical trial investigators and site staff; study participants (as applicable); patients and healthcare professionals referenced in adverse event reports.

3. Processor Obligations

Genira shall, with respect to Personal Data processed under this DPA:

  • Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law;
  • Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations;
  • Implement the technical and organisational security measures described in Section 6;
  • Respect the conditions for engaging Sub-processors as set out in Section 5;
  • Taking into account the nature of the processing, assist the Customer in fulfilling its obligation to respond to Data Subject requests under applicable law;
  • Assist the Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation);
  • At the Customer's choice, delete or return all Personal Data upon termination of the Services, unless applicable law requires continued storage;
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Customer or its mandated auditor.

4. Customer Obligations

The Customer warrants and represents that:

  • It has a valid legal basis for processing Personal Data and for providing it to Genira;
  • Any instructions it provides to Genira comply with applicable data protection laws;
  • It is responsible for the accuracy, quality, and legality of Personal Data submitted to the Services;
  • It will maintain appropriate records of processing activities and implement necessary consents or notices for Data Subjects.

5. Sub-processors

The Customer provides a general authorisation for Genira to engage Sub-processors, subject to the following conditions:

  • Genira shall impose data protection obligations on Sub-processors equivalent to those set out in this DPA;
  • Genira shall maintain a current list of Sub-processors and make it available to Customers upon request;
  • Genira shall provide at least thirty (30) days' notice of any intended changes to Sub-processors, giving the Customer an opportunity to object;
  • Where the Customer objects, Genira shall use reasonable efforts to find an alternative. If no satisfactory alternative exists, the Customer may terminate the relevant Services on thirty (30) days' written notice.

Sub-processor List

A current list of Sub-processors, including their role, location, and applicable safeguards, is available to Customers upon written request to privacy@genira.ai. Sub-processors are engaged only where they are subject to data protection obligations equivalent to those set out in this DPA.

6. Security Measures

Genira implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption at rest and in transit using industry-standard algorithms (AES-256 for storage, TLS 1.2+ for transmission);
  • Access controls based on the principle of least privilege, including multi-factor authentication for administrative access;
  • Audit logging of all access to and operations on Personal Data;
  • Regular penetration testing and vulnerability assessments by qualified third parties;
  • Business continuity and disaster recovery procedures with defined RPO and RTO targets;
  • Employee training on data protection and information security at least annually;
  • Incident response procedures designed to detect, contain, and remediate Security Incidents.

Full details of Genira's security programme are available on the Security page.

7. Security Incident Notification

In the event of a confirmed Security Incident affecting Personal Data, Genira shall:

  • Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the Security Incident;
  • Provide the following information in the notification: description of the nature of the incident; categories and approximate number of Data Subjects affected; categories and approximate number of records affected; likely consequences; measures taken or proposed to address the incident;
  • Co-operate with the Customer and take reasonable steps to mitigate the effects of the Security Incident.

The notification obligation does not apply where the Security Incident is unlikely to result in a risk to the rights and freedoms of natural persons.

8. International Data Transfers

Where Personal Data originating in the European Economic Area ("EEA"), the United Kingdom, or Switzerland is transferred to a country that does not benefit from an adequacy decision, Genira shall ensure an appropriate transfer mechanism is in place, including:

  • Execution of the applicable Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission;
  • Any supplementary measures required to ensure an essentially equivalent level of protection, as assessed in accordance with the EDPB guidance on transfers following Schrems II.

Upon request, Genira will provide copies of executed SCCs and any relevant transfer impact assessments.

9. Data Subject Rights Assistance

Genira provides the Customer with technical measures to assist in responding to Data Subject requests, including the ability to access, rectify, restrict, port, or erase Personal Data within the platform. The Customer remains responsible for handling Data Subject requests and for determining how to respond in accordance with applicable law.

Where Genira receives a Data Subject request directly, it will promptly forward it to the Customer and not act on it without the Customer's instruction unless required to do so by applicable law.

10. Audit Rights

Genira shall make available to the Customer, on reasonable written request, all information necessary to demonstrate compliance with this DPA. Genira may satisfy this obligation by providing documentation of its security and quality controls, aligned with ISO/IEC 27001 and ISO 9001 requirements, to the extent such documentation covers the scope of the Customer's request.

Where the Customer requires an on-site audit, the parties shall agree on the scope, timing, and cost allocation in advance. On-site audits shall not unreasonably interfere with Genira's operations and shall be conducted no more than once per calendar year absent a confirmed Security Incident.

11. Term and Termination

This DPA remains in effect for as long as Genira processes Personal Data on behalf of the Customer. Upon expiry or termination of the Services Agreement, Genira shall, at the Customer's election, either return or securely delete all Personal Data within thirty (30) days, unless applicable law requires continued retention. Genira will certify such deletion in writing upon request.

12. Contact

For data protection enquiries, please contact our Data Protection Officer:

Data Protection Officer

Genira Pte. Ltd.

68 Circular Road, #02-01

Singapore 049422

privacy@genira.ai